This document provides information about Walt Murray and his experience in quality and compliance consulting. It summarizes Walt Murray's role and experience as the CEO of ARC Experts, where he leads their quality and compliance consulting services team. The document notes that Walt Murray has over 32 years of experience in quality management and regulatory affairs. He has performed over 400 audits for highly regulated companies. The remainder of the document covers topics related to ISO 9001 standards and risk-based thinking approaches.

2. Walt Murray
CEO
Walt Murray President and CEO of ARC Experts is representing
Quality and Compliance Consulting (QCC) services team for Master
Control, Inc. Walt is a globally recognized compliance and risk
consultant, is a quality management and regulatory affairs professional
with more than 32 years of experience working with internationally
recognized, highly regulated companies, including Aventis, Merck etc.
Walt has performed more than 400 1st, 2nd and 3rd-party audits.
Contact Information
walt.murray@arcexperts.com
www.arcexperts.com
linkedin.com/walt.murray

3. Risk: How Big of a Deal?
ISO 9001:2008 ISO 9001:2015
3 “risk’ mentions 43 “risk” mentions

4. Overview
A key change in the 2015 revision is to establish a systematic
approach to risk, rather than treating it as a single component of a
quality management system.
• In previous editions of ISO 9001, a clause on preventive action
was separated from the whole. Now risk is considered and
included throughout the standard.
• By taking a risk-based approach, an organization becomes
proactive rather than purely reactive.
ISO 9001:2015 September 23rd (3 years!)

5. Overview (continued)
New language in the final draft international standard of ISO
9001 focuses on “risk- based thinking,” although it stops short
of actual “risk management.” As a result, the international
community is wrestling with how best to handle risk.
What does ISO 9001:2015 ask for?

6. Overview (continued)
In ISO 9001:2015 organizations are also asked to “address risks and
opportunities.”
How do we do that?

7. “Risk Based Thinking”
What is it?
(from ISO/TC 176/SC2)
“Risk-based thinking is something we all do automatically.”
“Risk-based thinking has always been in ISO 9001 – this revision
builds it into the whole management system.”
“Risk-based thinking is already part of the process approach.”

8. Case Study
Engineering orientation to risk based thinking!

9. Benefits of “Risk Based Thinking”
Benefit Example
Prioritize Resources Preparation for an
Audit/Inspection, CAPA
prioritization, etc.
Improve Customer Rapport Deal with complaints that
matter, escalate efficiently
serious issues to the proper
channel
Consistency in Products and
Services
Cost of Quality (CoQ) Curve
Objective evaluations Supplier Selection, Audit
Observations, etc.
Moves towards Proactive vs
Reactive
PA versus CA

10. How to Use Risk Based Thinking?
What is required?
•Identify what the risks and opportunities are in your
organization (hint: it depends on context)
Note: ISO 9001:2015 does not require you to carry out a
full, formal risk assessment
ISO 31000 (Risk management & Principles and
guidelines) is a useful reference (note: it is not
mandated)

11. “Risks and Opportunities”
Key Concepts:
•Analyze and prioritize the risks and
opportunities in your organization
•what is acceptable?
•what is unacceptable?
•Plan actions to address the risks
•how can I avoid or eliminate the risk?
•how can I mitigate the risk?
•Implement the plan – take action
•Check the effectiveness of the actions
•does it work?
•Learn from experience – continual improvement

12. Let’s analyze the risks and opportunities

13. ISO 9001:2015?
Part 1: Where is “Risk” mentioned in

14. Where is Risk Mentioned in 9001:2015?
Introduction
0.1 General:
“The risks associated with its context and objectives”
0.3 Process approach:
“….with an overall focus on risk based thinking"
0.5 “Risk-based thinking”:
“Risk is the effect of uncertainty on an expected result and the concept of risk-
based thinking has always been implicit in ISO 9001”
0.6 Compatibility with other management system standards:
“Processes for planning and consideration of risks and opportunities”

15. Where is Risk Mentioned in 9001:2015?
3. Terms and definitions
3.09 Risk:
“effect of uncertainty on an expected result”

16. Where is Risk Mentioned in 9001:2015?
4 Context of the organization
4.4 Quality management system and its processes:
“the risks and opportunities in accordance with the requirements
of 6.1, and plan and implement the appropriate actions to address
them”

17. Where is Risk Mentioned in 9001:2015?
5 Leadership
5.1.2 Customer focus:
“the risks and opportunities that can affect conformity of products
and services and the ability to enhance customer satisfaction are
determined and addressed”

18. Where is Risk Mentioned in 9001:2015?
6 Planning for the quality management system
6.1 Actions to address risks and opportunities:
“When planning for the quality management system, the
organization shall consider the issues referred to in 4.1 and the
requirements referred to in 4.2 and determine the risks and
opportunities that need to be addressed”

19. Where is Risk Mentioned in 9001:2015?
8 Operation
8.5.5 Post-delivery activities:
“the risks associated with the products and services”

20. Where is Risk Mentioned in 9001:2015?
9 Performance evaluation
9.3 Management review:
“the effectiveness of actions taken to address risks and
opportunities (see clause 6.1)”

21. Where is Risk Mentioned in 9001:2015?
APPENDIX
A.4 Risk-based approach:
“Although risks and opportunities have to be determined and addressed, there
is no requirement for formal risk management or a documented risk
management process”
A.7 Organizational knowledge:
“…additional knowledge needs to take account of the organization’s context,
including its size and complexity, the risks and opportunities it needs to
address…”
A.8 Control of externally provided products and services
“The organization is required to take a risk-based approach to determine the
type and extent of controls appropriate to particular external providers and
externally provided products and services.”

22. ISO 9001:2015
Part 2: Risk Tools for

23. Risk Tools
What the standard doesn’t require:
Remember: the standard DOES NOT prescribe a methodology or
require a documented process for risk-based thinking.
Ultimately, it is up to an organization to choose a suitable process or
specific methodology to address risk.

24. Risk Tool Selection
Choose Wisely…
(From ISO 31010):
“it should be justifiable and appropriate to the situation or organization
under consideration;”
“it should provide results in a form which enhances understanding of the
nature of the risk and how it can be treated;”
“it should be capable of use in a manner that is traceable, repeatable and
verifiable.”

25. Risk Tool Selection (part 2)
Consider:
• the objectives of the study;
• the needs of decision-makers;
• the type and range of risks being analyzed;
• the potential magnitude of the consequences;
• the degree of expertise, human and other resources needed;
• the availability of information and data;
• the need for modification/updating of the risk assessment, and
• any regulatory and contractual requirements.

26. Risk assessment process
Risk analysisTools and techniques Risk
Identification Consequence Probability Level of risk
Risk
evaluation
See
Annex
Brainstorming SA1)
NA2)
NA NA NA B 01
Structured or semi-structured
interviews
SA NA NA NA NA B 02
Delphi SA NA NA NA NA B 03
Check-lists SA NA NA NA NA B 04
Primary hazard analysis SA NA NA NA NA B 05
Hazard and operability studies
(HAZOP)
SA SA A3) A A B 06
Hazard Analysis and Critical Control
Points (HACCP)
SA SA NA NA SA B 07
Environmental risk assessment SA SA SA SA SA B 08
Structure « What if? » (SWIFT) SA SA SA SA SA B 09
Scenario analysis SA SA A A A B 10
Business impact analysis A SA A A A B 11
Root cause analysis NA SA SA SA SA B 12
Failure mode effect analysis SA SA SA SA SA B 13
Fault tree analysis A NA SA A A B 14
Event tree analysis A SA A A NA B 15
Cause and consequence analysis A SA SA A A B 16
Cause-and-effect analysis SA SA NA NA NA B 17
Layer protection analysis (LOPA) A SA A A NA B 18
Decision tree NA SA SA A A B 19
Human reliability analysis SA SA SA SA A B 20
Bow tie analysis NA A SA SA A B 21
Reliability centred maintenance SA SA SA SA SA B 22
Sneak circuit analysis A NA NA NA NA B 23
Markov analysis A SA NA NA NA B 24
Monte Carlo simulation NA NA NA NA SA B 25
Bayesian statistics and Bayes Nets NA SA NA NA SA B 26
FN curves A SA SA A SA B 27
Risk indices A SA SA A SA B 28
Consequence/probability matrix SA SA SA SA A B 29
Cost/benefit analysis A SA A A A B 30
Multi-criteria decision analysis
(MCDA)
A SA A SA A B 31
1)
Strongly applicable.
2) Not applicable.
3)
Applicable.

27. Easy: Brainstorming
Brainstorming involves stimulating and
encouraging free-flowing conversation
amongst a group of knowledgeable people to
identify potential failure modes and associated
hazards, risks, criteria for decisions and/or
options for treatment. The term
“brainstorming” is often used very loosely to
mean any type of group discussion. However
true brainstorming involves particular
techniques to try to ensure that people's
imagination is triggered by the thoughts and
statements of others in the group.

28. Easy: Structured Interviews
In a structured interview, individual
interviewees are asked a set of prepared
questions from a prompting sheet which
encourages the interviewee to view a
situation from a different perspective and
thus identify risks from that perspective.
A semi-structured interview is similar, but
allows more freedom for a conversation
to explore issues which arise.

29. Points of risk due to:
 lack of criteria or planned execution
 poor critical thinking skills
 allowance for “fudging” aspects between activities
 not knowing the level of risk

30. November 30, 2016 30
Audit
Team DEC 2016- DEC 2017
Month/Year
Focusareas
Planned
Conducted
Business
Model
Areas/
Function
TopMgmt
MRTeam*
PdtPlanning
QA
QC
Producment
Suppliers
ReceivingQC
Chngecontrol
In-ProcessQC
ProdCC
Label&Pkg
Personnel
Facilities
Maintenance
Comments
(Part 11, 211, 820, etc. items)
4.1 Quality Mgmt System 13-Jan QM/ MR Minutes/
4.2 Documentation 26-Dec Change control; format; Control
5.0 Management Responsibility 26-Dec Agendas; Participation; Actions
6.2 Resources Allocation 26-Dec QP/Job Desc's; Training; Responsibilities
6.3 Infrastructure 13-Jan Maintenance of facility to GMP/Changes/Events
6.4 Work Environment 27-Dec GMP application for hygiene, mfg, security, docs
7.1 Product/Process Planning 13-Feb Quality Plan, QM, Risk in IQA, Suppliers, Testing
7.2 Customer Requirements 13-Mar Review of Customer Specs/MMR development
7.3 Design & Development TBD Done by UAS. Auditing in 1Q 2013 with transfer
7.4 Purchasing 25-Jan Qualification of suppliers
7.5 Provision of Product 18-Dec MMRs to BMRs/review/approval
7.6 Calibration Capability 10-Jan By contract and in the field
8.2.1 M&M Customer 1Q Progress Reviews
8.2.2 Internal Audits 18-Dec Initially by contractor
8.2.3 M&M Processes 18-Dec Desktop for all processes, SOPs,Wis, Protocols
8.2.4 M&M Products 18-Dec BMRs/Logs/Reports, Raw Matl testing, CofAs
8.3 Control of Nonconformity 27-Dec NCR form and records
8.4 Analysis of Data 1Q Use data from NCRs
8.5.1 Continual Improvement 1Q Mgmt Review actions
8.5.2 Corrective Action 27-Dec Records of improvement actions
8.5.3 Preventive Action 28-Dec Records of improvement actions
AUDIT PLAN/SCHEDULE PREPARED BY: (*MR = Management Review)Gopul K Tunga
NOTES:
12/18/2016
Any IAFs generated to showing where improvements are
identified in the process above and timeline
Audit
No. Audit Dates
AUDIT ELEMENT &
DESCRIPTION
ISO 9001: 2000 &
21 CFR Part XXX
Validation Activity for processes
Accomplished with Internal Auditing

31. Why be concerned?
©2008PathWise,
Inc.QualityEvents
Escalation

32. PRACTICLE APPROACH FOR RISK (Product/Process/System)

33. Case Study 2: Eyjafjallajökull
What Risk Tools should be used?
STOP! Do not pass go…
Where’smystuff!?!?!?!?!?!

34. The cloud of ash from the Icelandic volcano which has
wreaked havoc on passengers and airports across Europe
has also had significant global effects. The International Air
Transport Association estimates that the ash crisis has led to
the cancellation of hundreds of thousands of flights and cost
the world's airlines many billions of dollars. Some airlines
may not recover from the losses incurred.
Risk is all about uncertainty or, more importantly, the effect
of uncertainty on the achievement of objectives. On 15
November 2009, ISO published ISO 31000:2009, Risk
Management – Principles and guidelines, to help industrial,
commercial and public sector organizations to confidently
address such risks.

35. BOWTIEANALYSIS

36. Summary
Risk is here: get used to it
•Mentioned 43x in the new update (vs 3x)
•Risk-Based Thinking – it’s everywhere
•It’s more than just risk: it’s opportunities
•Use the correct tool for the job
•And if nothing else:
PS: DON’T RUN ELECTRICITY THROUGH A
POOL

37. ISO 9001 Training Course
 ISO 9001 Introduction
1 Day Course
 ISO 9001 Foundation
2 Days Course
 ISO 9001 Lead Implementer
5 Days Course
 ISO 9001 Lead Auditor
5 Days Course
Exam and certification fees are included in the training price.
https://www.pecb.com/iso-9001-training-courses| www.pecb.com/events

38. THANK YOU
?
walt.murray@arcexperts.com
www.arcexperts.com
linkedin.com/walt.murray